package org.springframework.security.oauth2.server.authorization.token;

import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.time.temporal.TemporalUnit;
import java.util.Collections;
import org.springframework.lang.Nullable;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.oauth2.core.oidc.IdTokenClaimNames;
import org.springframework.security.oauth2.core.oidc.endpoint.OidcParameterNames;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
import org.springframework.security.oauth2.jwt.JwtEncoder;
import org.springframework.security.oauth2.jwt.JwtEncoderParameters;
import org.springframework.security.oauth2.server.authorization.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.client.RegisteredClient;
import org.springframework.security.oauth2.server.authorization.settings.OAuth2TokenFormat;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/spring-security-oauth2-authorization-server-1.0.2.jar:org/springframework/security/oauth2/server/authorization/token/JwtGenerator.class */
/**
 * {@link OAuth2TokenGenerator} that builds a {@link Jwt} for two token types only:
 * access tokens whose client is configured for the self-contained format, and OIDC ID tokens.
 * Every other request yields {@code null}.
 *
 * <p>Security-relevant defaults visible in this class:
 * <ul>
 *   <li>The JWS algorithm starts as {@code RS256}; only ID tokens consult the client's
 *       {@code getIdTokenSignatureAlgorithm()} setting.</li>
 *   <li>ID tokens expire 30 minutes after issuance (hard-coded here); access tokens use the
 *       client's {@code getAccessTokenTimeToLive()}.</li>
 *   <li>{@code aud} is always the single client id of the registered client.</li>
 *   <li>The optional customizer runs after these defaults are applied and before encoding, and
 *       it is handed the same header and claims builders that are then encoded.</li>
 * </ul>
 */
public final class JwtGenerator implements OAuth2TokenGenerator<Jwt> {
    private final JwtEncoder jwtEncoder;
    // Optional hook; remains null until setJwtCustomizer(...) is called.
    private OAuth2TokenCustomizer<JwtEncodingContext> jwtCustomizer;

    /**
     * Creates a generator that delegates encoding to the given encoder.
     *
     * @param jwtEncoder the encoder used to produce the final {@link Jwt}; must not be null
     */
    public JwtGenerator(JwtEncoder jwtEncoder) {
        Assert.notNull(jwtEncoder, "jwtEncoder cannot be null");
        this.jwtEncoder = jwtEncoder;
    }

    /**
     * Builds and encodes a JWT for the supplied token context.
     *
     * @param oAuth2TokenContext the token request context
     * @return the encoded {@link Jwt}, or {@code null} when the token type is missing, is neither
     *         an access token nor an ID token, or is an access token whose client does not use
     *         the self-contained format
     */
    @Override
    @Nullable
    public Jwt generate(OAuth2TokenContext oAuth2TokenContext) {
        OAuth2TokenType requestedType = oAuth2TokenContext.getTokenType();
        if (requestedType == null) {
            return null;
        }
        boolean forAccessToken = OAuth2TokenType.ACCESS_TOKEN.equals(requestedType);
        boolean forIdToken = OidcParameterNames.ID_TOKEN.equals(requestedType.getValue());
        if (!(forAccessToken || forIdToken)) {
            return null;
        }

        RegisteredClient client = oAuth2TokenContext.getRegisteredClient();
        // Access tokens in any other format are left to a different generator.
        if (forAccessToken
                && !OAuth2TokenFormat.SELF_CONTAINED.equals(client.getTokenSettings().getAccessTokenFormat())) {
            return null;
        }

        String issuer = issuerOf(oAuth2TokenContext);
        Instant issuedAt = Instant.now();

        // RS256 unless an ID token's client settings name another algorithm.
        SignatureAlgorithm jwsAlgorithm = SignatureAlgorithm.RS256;
        Instant expiresAt;
        if (forIdToken) {
            // Fixed ID token lifetime; this code path reads no client setting for it.
            expiresAt = issuedAt.plus(30L, ChronoUnit.MINUTES);
            SignatureAlgorithm configured = client.getTokenSettings().getIdTokenSignatureAlgorithm();
            if (configured != null) {
                jwsAlgorithm = configured;
            }
        } else {
            expiresAt = issuedAt.plus(client.getTokenSettings().getAccessTokenTimeToLive());
        }

        JwtClaimsSet.Builder claims = JwtClaimsSet.builder();
        if (StringUtils.hasText(issuer)) {
            claims.issuer(issuer);
        }
        claims.subject(oAuth2TokenContext.getPrincipal().getName());
        claims.audience(Collections.singletonList(client.getClientId()));
        claims.issuedAt(issuedAt);
        claims.expiresAt(expiresAt);

        if (forAccessToken) {
            claims.notBefore(issuedAt);
            if (!CollectionUtils.isEmpty(oAuth2TokenContext.getAuthorizedScopes())) {
                claims.claim("scope", oAuth2TokenContext.getAuthorizedScopes());
            }
        } else if (forIdToken) {
            claims.claim(IdTokenClaimNames.AZP, client.getClientId());
            if (AuthorizationGrantType.AUTHORIZATION_CODE.equals(oAuth2TokenContext.getAuthorizationGrantType())) {
                // The nonce from the stored authorization request is echoed into the ID token.
                // NOTE(review): neither getAuthorization() nor the request attribute is
                // null-checked here; this relies on the authorization_code flow always
                // supplying both - confirm against the callers.
                OAuth2AuthorizationRequest authorizationRequest = oAuth2TokenContext.getAuthorization()
                        .getAttribute(OAuth2AuthorizationRequest.class.getName());
                String nonce = (String) authorizationRequest.getAdditionalParameters().get("nonce");
                if (StringUtils.hasText(nonce)) {
                    claims.claim("nonce", nonce);
                }
            }
        }

        JwsHeader.Builder headers = JwsHeader.with(jwsAlgorithm);
        if (this.jwtCustomizer != null) {
            applyCustomizer(oAuth2TokenContext, headers, claims);
        }
        return this.jwtEncoder.encode(JwtEncoderParameters.from(headers.build(), claims.build()));
    }

    /**
     * Registers the customizer invoked on the header and claims builders before encoding.
     *
     * @param oAuth2TokenCustomizer the customizer to apply; must not be null
     */
    public void setJwtCustomizer(OAuth2TokenCustomizer<JwtEncodingContext> oAuth2TokenCustomizer) {
        Assert.notNull(oAuth2TokenCustomizer, "jwtCustomizer cannot be null");
        this.jwtCustomizer = oAuth2TokenCustomizer;
    }

    /** Returns the issuer from the authorization server context, or null when no context is set. */
    private static String issuerOf(OAuth2TokenContext oAuth2TokenContext) {
        if (oAuth2TokenContext.getAuthorizationServerContext() == null) {
            return null;
        }
        return oAuth2TokenContext.getAuthorizationServerContext().getIssuer();
    }

    /**
     * Wraps the builders and request details in a {@link JwtEncodingContext} and runs the customizer.
     * The customizer sees the live builders, so whatever it changes on them is what gets encoded;
     * registered customizers therefore deserve the same review as this class's defaults.
     */
    private void applyCustomizer(OAuth2TokenContext oAuth2TokenContext, JwsHeader.Builder headers,
            JwtClaimsSet.Builder claims) {
        JwtEncodingContext.Builder encodingContext = JwtEncodingContext.with(headers, claims)
                .registeredClient(oAuth2TokenContext.getRegisteredClient())
                .principal(oAuth2TokenContext.getPrincipal())
                .authorizationServerContext(oAuth2TokenContext.getAuthorizationServerContext())
                .authorizedScopes(oAuth2TokenContext.getAuthorizedScopes())
                .tokenType(oAuth2TokenContext.getTokenType())
                .authorizationGrantType(oAuth2TokenContext.getAuthorizationGrantType());
        // Authorization and grant are optional on the context; forward them only when present.
        if (oAuth2TokenContext.getAuthorization() != null) {
            encodingContext.authorization(oAuth2TokenContext.getAuthorization());
        }
        if (oAuth2TokenContext.getAuthorizationGrant() != null) {
            encodingContext.authorizationGrant(oAuth2TokenContext.getAuthorizationGrant());
        }
        this.jwtCustomizer.customize(encodingContext.build());
    }
}
